Abstract. Based on a new coinductive characterization of continuous functions we extract certified programs for exact real number computation from constructive proofs. The extracted programs construct and combine exact real number algorithms with respect to the binary signed digit representation of real numbers. The data type corresponding to the coinductive definition of continuous functions consists of finitely branching non-wellfounded trees describing when the algorithm writes and reads digits. We discuss several examples including the extraction of programs for polynomials up to degree two and the definite integral of continuous maps. This is a revised and substantially extended version of the conference paper [6].



Most of the recent work on exact real number computation describes algorithms for functions on certain exact representations of the reals (for example streams of signed digits [19] or linear fractional transformations [17]) and proves their correctness using a certain proof method (for example coinduction [16, 11, 8, 30]). Our work has a similar aim, and builds on the work cited above, but there are two important differences. The first is methodological: we do not 'guess' an algorithm and then verify it; instead we extract it from a proof, by some (once and for all) proven correct method. That this is possible in principle is well-known. Here we want to make the case that it is also feasible, and that interesting and nontrivial new algorithms can be obtained (see also [33, 19] for related work on program extraction in constructive analysis and inductive definitions). The second difference is algorithmic: our method represents a uniformly continuous real function not by a function operating on representations of reals, but by an infinite tree that contains information not only about the real function as a point map, but also about its modulus of continuity. Since the representing tree is a pure data structure (without function component), a lazy programming language, like Haskell, will memoize computations, which improves performance in certain situations.

A crucial ingredient in the proofs (that we use for program extraction) is a coinductive definition of the notion of uniform continuity (u.c.). Although, classically, continuity and uniform continuity are equivalent for functions defined on a compact interval (we only consider such functions), it is a suitable constructive definition of uniform continuity which matters for our purpose. For convenience, we consider as domain and range of our functions only the interval $\mathrm{I} := [-1, 1] = \{x \in \mathbb{R} \mid |x| \le 1\}$ and, for the purpose of this introduction, only unary functions. However, later we will also look at functions of several variables, where one has to deal with the non-trivial problem of choosing the input streams from which the next digit is consumed, a choice which can have a big influence on the performance of the program.

We let $\mathrm{SD} := \{-1, 0, 1\}$ be the set of (binary) signed digits. By $\mathrm{SDS}$ we denote the set of all infinite streams $a = a_0 : a_1 : a_2 : \ldots$ of signed digits $a_j \in \mathrm{SD}$. A signed digit stream $a \in \mathrm{SDS}$ represents the real number

\[ \sigma(a) := \sum_{j \ge 0} a_j 2^{-(j+1)} \in \mathrm{I} \]

A function $f : \mathrm{I} \to \mathrm{I}$ is represented by a stream transformer $\hat f : \mathrm{SDS} \to \mathrm{SDS}$ if $f \circ \sigma = \sigma \circ \hat f$.
The coinductive definition of uniform continuity, given in Sect. 3, allows us to extract from a constructive proof of the u.c. of a function $f : \mathrm{I} \to \mathrm{I}$ an algorithm for a stream transformer $\hat f$ representing $f$. Furthermore, we show directly and constructively that the coinductive notion of u.c. is closed under composition. The extracted stream transformers are represented by finitely branching non-wellfounded trees which, if executed in a lazy programming language, give rise to memoized algorithms. These trees turn out to be closely related to the data structures studied in [21, 22], and the program extracted from the proof of closure under composition is a generalization of the tree composing program defined there.

In Sect. 2 we briefly review inductive and coinductive sets defined by monotone set operators. We give some simple examples, among them a characterization of the real numbers in the interval $\mathrm{I}$ by a coinductive predicate $C_0$. The method of program extraction from proofs involving induction and coinduction is discussed informally, but in some detail, in Sect. 3. The earlier examples are continued and a program transforming fast Cauchy representations into signed digit representations is extracted from a coinductive proof. In Sect. 4 the coinductive characterization $C_0$ of real numbers is generalized to nested coinductive/inductive predicates $C_n$ characterizing uniformly continuous real functions of $n$ arguments, and closure under composition is proven. In Sect. 5 we study wellfounded induction from the perspective of program extraction and introduce the notion of a digital system as a technical tool for showing that certain families of functions are contained in $C_n$. The positive effect of memoization is demonstrated by a case study on iterated logistic maps (which are special polynomials of degree 2). Furthermore, we prove that the predicates $C_n$ capture precisely uniform continuity. In Sect. 6 we extract a program for integration from a proof that the definite integral on $\mathrm{I}$ of a function in $C_1$ can be approximated by rational numbers with any given precision.

The extracted programs are shown in the functional programming language Haskell. As Haskell's syntax is very close to the usual mathematical notation for data and functions, we hope that readers not familiar with Haskell will also be able to understand the code. The Haskell code shown in this paper is self-contained and can be obtained from the author on request.
2. Induction and coinduction



We briefly discuss inductive and coinductive definitions as least and greatest fixed points of 
monotone set operators and the corresponding induction and coinduction principles. The 
results in this section are standard and can be found in many logic and computer science 
texts. For example in [M] inductive definitions are proof-theoretically analysed, and in [13] 
least and greatest fixed points are studied in the framework of the modal mu-calculus. 

An operator $\Phi : \mathcal{P}(U) \to \mathcal{P}(U)$ (where $U$ is an arbitrary "universal" set and $\mathcal{P}(U)$ is the powerset of $U$) is monotone if for all $X, Y \subseteq U$

\[ \text{if } X \subseteq Y, \text{ then } \Phi(X) \subseteq \Phi(Y). \]

A set $X \subseteq U$ is $\Phi$-closed (or a pre-fixed point of $\Phi$) if $\Phi(X) \subseteq X$. Since $\mathcal{P}(U)$ is a complete lattice, $\Phi$ has a least fixed point $\mu\Phi$ (Knaster-Tarski Theorem). For the sake of readability we will sometimes write $\mu X.\Phi(X)$ instead of $\mu\Phi$. $\mu\Phi$ can be defined as the least $\Phi$-closed subset of $U$. Hence we have the closure principle for $\mu\Phi$, $\Phi(\mu\Phi) \subseteq \mu\Phi$, and the induction principle stating that for every $X \subseteq U$, if $\Phi(X) \subseteq X$, then $\mu\Phi \subseteq X$. It can easily be shown that $\mu\Phi$ is even a fixed point of $\Phi$, i.e. $\Phi(\mu\Phi) = \mu\Phi$ (Lambek's Lemma). For monotone operators $\Phi, \Psi : \mathcal{P}(U) \to \mathcal{P}(U)$ we define

\[ \Phi \subseteq \Psi \;:\Leftrightarrow\; \forall X \subseteq U\; \Phi(X) \subseteq \Psi(X). \]

It is easy to see that the operation $\mu$ is monotone, i.e. if $\Phi \subseteq \Psi$, then $\mu\Phi \subseteq \mu\Psi$. Using monotonicity of $\Phi$ one can easily prove, by induction, a principle called strong induction. It says that, if $\Phi(X \cap \mu\Phi) \subseteq X$, then $\mu\Phi \subseteq X$.

Dual to inductive definitions are coinductive definitions. A subset $X$ of $U$ is called $\Phi$-coclosed (or a post-fixed point of $\Phi$) if $X \subseteq \Phi(X)$. By duality, $\Phi$ has a largest fixed point $\nu\Phi$ which can be defined as the largest $\Phi$-coclosed subset of $U$. Similarly, all other principles for induction have their coinductive counterparts. To summarise, we have the following principles:

Fixed point: $\Phi(\mu\Phi) = \mu\Phi$ and $\Phi(\nu\Phi) = \nu\Phi$.
Monotonicity: if $\Phi \subseteq \Psi$, then $\mu\Phi \subseteq \mu\Psi$ and $\nu\Phi \subseteq \nu\Psi$.
Induction: if $\Phi(X) \subseteq X$, then $\mu\Phi \subseteq X$.
Strong induction: if $\Phi(X \cap \mu\Phi) \subseteq X$, then $\mu\Phi \subseteq X$.
Coinduction: if $X \subseteq \Phi(X)$, then $X \subseteq \nu\Phi$.
Strong coinduction: if $X \subseteq \Phi(X \cup \nu\Phi)$, then $X \subseteq \nu\Phi$.

Example 2.1 (natural numbers). Define $\Phi : \mathcal{P}(\mathbb{R}) \to \mathcal{P}(\mathbb{R})$ by

\[ \Phi(X) := \{0\} \cup \{y + 1 \mid y \in X\} = \{x \mid x = 0 \lor \exists y \in X\,(x = y + 1)\} \]

Then $\mu\Phi = \mathbb{N} = \{0, 1, 2, \ldots\}$. We consider this as the definition of the natural numbers. The induction principle is logically equivalent to the usual zero-successor-induction on $\mathbb{N}$: if $X(0)$ (base) and $\forall x\,(X(x) \to X(x+1))$ (step), then $\forall x \in \mathbb{N}\,X(x)$. Strong induction weakens the step by restricting $x$ to the natural numbers: $\forall x \in \mathbb{N}\,(X(x) \to X(x+1))$.

Example 2.2 (signed digits and the interval $[-1, 1]$). For every signed digit $d \in \mathrm{SD}$ we set $\mathrm{I}_d := [d/2 - 1/2, d/2 + 1/2] = \{x \in \mathbb{R} \mid |x - d/2| \le 1/2\}$. Note that $\mathrm{I}$ is the union of the $\mathrm{I}_d$ and every subinterval of $\mathrm{I}$ of length $< 1/2$ is contained in some $\mathrm{I}_d$. We define an operator $\mathcal{J}_0 : \mathcal{P}(\mathbb{R}) \to \mathcal{P}(\mathbb{R})$ by

\[ \mathcal{J}_0(X) := \{x \mid \exists d \in \mathrm{SD}\,(x \in \mathrm{I}_d \land 2x - d \in X)\} \]

and set $C_0 := \nu\mathcal{J}_0$. Since clearly $\mathrm{I} \subseteq \mathcal{J}_0(\mathrm{I})$, it follows, by coinduction, that $\mathrm{I} \subseteq C_0$. On the other hand $C_0 \subseteq \mathrm{I}$, by the fixed point property. Hence $C_0 = \mathrm{I}$. The point of this definition is that the proof of "$\mathrm{I} \subseteq \mathcal{J}_0(\mathrm{I})$" has an interesting computational content: $x \in \mathrm{I}$ must be given in such a way that it is possible to find $d \in \mathrm{SD}$ such that $x \in \mathrm{I}_d$. This means that $d/2$ is a first approximation of $x$. The computational content of the proof of "$\mathrm{I} \subseteq C_0$", roughly speaking, iterates the process of finding approximations to $x$ ad infinitum, i.e. it computes a signed digit representation of $x$ as explained in the introduction, that is, a stream $a$ of signed digits with $\sigma(a) = x$. This will be made precise in Lemma 3.2 (Sect. 3).

Example 2.3 (lists, streams and trees). Let the Scott-domain $D$ be defined by the recursive domain equation $D = 1 + D \times D$ where $1 := \{\bot\}$ is a one point domain and "$+$" denotes the separated sum of domains (see [20] for information on domains). The elements of $D$ are $\bot$ (the obligatory least element), $\mathrm{Nil} := \mathrm{Left}(\bot)$, and $\mathrm{Cons}(x, y) := \mathrm{Right}(x, y)$ where $x, y \in D$. Define $\Phi : \mathcal{P}(D) \to \mathcal{P}(D) \to \mathcal{P}(D)$ by

\[ \Phi(X)(Y) := \{\mathrm{Nil}\} \cup \{\mathrm{Cons}(x, y) \mid x \in X, y \in Y\} \]

Clearly, $\Phi$ is monotone in both arguments. For a fixed set $X \subseteq D$, $\mathrm{List}(X) := \mu(\Phi(X))$ $(= \mu Y.\Phi(X)(Y))$ can be viewed as the set of finite lists of elements in $X$, and $\mathrm{Stream}(X) := \nu(\Phi(X))$ $(= \nu Y.\Phi(X)(Y))$ as the set of finite or infinite lists or streams of elements in $X$. Since $\mu$ is monotone, the operator $\mathrm{List} : \mathcal{P}(D) \to \mathcal{P}(D)$ is again monotone. Hence we can define $\mathrm{Tree} := \nu\mathrm{List} \subseteq D$, which is the set of finitely branching wellfounded or non-wellfounded trees. On the other hand, $\mathrm{Tree}' := \mu\mathrm{Stream}$ consists of all finitely or infinitely branching wellfounded trees. The point of this example is that the definition of $\mathrm{Tree}$ is similar to the characterization of uniformly continuous functions from $\mathrm{I}^n$ to $\mathrm{I}$ in Sect. 4, the similarity being the fact that it is a coinductive definition with an inductive definition in its body. The set $C_0$ of the previous example corresponds to the case $n = 0$ where the inner inductive definition is trivial.

Formalization. We now sketch the formal system for reasoning about inductive and coinductive definitions (a full account is given in [7, 10]). Since we only consider (co)inductive definitions of subsets of a given "universal set", we can work in a many-sorted first-order predicate logic with free predicate variables, extended by the possibility to form, for a predicate $\mathcal{P}$ which is strictly positive (s.p.) in a predicate variable $X$, the predicates $\mu X.\mathcal{P}$ and $\nu X.\mathcal{P}$ denoting the least and greatest fixed points of the monotone set operator defined by $\mathcal{P}$. For example, $\mathcal{P}$ could be given as a comprehension term $\{x \mid A(x, X)\}$ where $A(x, X)$ is a formula which is s.p. in $X$. The formula $A(x, X)$ may have further free object and predicate variables. "Nested" inductions/coinductions such as $\nu X.\mu Y.\{x \mid A(x, X, Y)\}$, where $A(x, X, Y)$ is strictly positive in $X$ and $Y$, are allowed. Hence the second example above can be formalized. As a proof calculus we use intuitionistic natural deduction with axioms expressing (co)closure and (co)induction for (co)inductively defined predicates. Further axioms describing the mathematical structures under consideration can be freely added as long as (we know that) they are true and do not contain disjunctions. The latter restriction ensures that these "ad-hoc axioms" have no computational content, as will be explained in Sect. 3. Note that, for example, the formula $\forall x \in \mathbb{N}\,\exists y \in \mathbb{N}\,(y^2 \le x < (y + 1)^2)$ does have computational content, since the definition of the predicate $\mathbb{N}$, given in the first example, contains a disjunction. Hence, although true, this formula must not be used as an axiom, but needs to be proven.
In the first example object variables are of sort $\mathbb{R}$ while in the second example they are of sort $D$ (hence $\mathbb{R}$ and $D$ are the "universal sets"). The second example shows how data structures which normally would be defined as initial algebras or final coalgebras of endofunctors on the category of sets can be introduced in our system. The domain-theoretic modelling has the further advantage that partial objects (e.g. lists or trees with possibly undefined nodes and leaves) can be described and reasoned about as well, without extra effort. We believe that, by restricting ourselves to categories which are just powersets, partially ordered by inclusion, the constructions become easier to understand for non-category-theorists, and the formal system sketched above is simpler than one describing initial algebras and final coalgebras of functors in general.



3. Program extraction from proofs

In this section we briefly explain how we extract programs from proofs. Rather than giving technical definitions we only sketch the formal framework and explain the extraction method by means of simple examples, which hopefully provide a good intuition also for non-experts. More details and full correctness proofs can be found in [7] and [10].

The method of program extraction we are using is based on an extension and variation of Kreisel's modified realizability [26]. The extension concerns the addition of inductive and coinductive predicates. Realizability for such predicates has been studied previously, in the slightly different context of q-realizability, by Tatsuta [36]. The variation concerns the fact that we are treating the first-order part of the language (i.e. quantification over individuals) in a 'uniform' way, that is, realizers do not depend on the individuals quantified over. This is similar to the common uniform treatment of second-order variables [37]. The argument is that an arbitrary subset of a set is such an abstract (and even vague) entity that one should not expect an algorithm to depend on it. With a similar argument one may say that individuals of an abstract mathematical structure ($\mathbb{R}$, a model of set theory, etc.) are unsuitable as inputs for programs. Hence, a realizer of a formula $\forall x\,A(x)$ is an object $a$ such that $a$ realizes $A(x)$ for all $x$, where $a$ does not depend on $x$. A realizer of a formula $\exists x\,A(x)$ is an object $a$ such that $a$ realizes $A(x)$ for some $x$. Note that the witness $x$ is not part of the realizer $a$. But which data should a program then depend on and which should it produce? The answer is: data defined by the 'propositional skeletons' of formulas and 'canonical' proofs.

Example (parity). Let us extract a program from a proof of

\[ \forall x\,(\mathrm{N}(x) \Rightarrow \exists y\,(x = 2y \lor x = 2y + 1)) \tag{3.1} \]

where the variable $x$ ranges over real numbers and the predicate $\mathrm{N}$ is defined as in the example in Sect. 2, i.e.

\[ \mathrm{N} := \mu X.\{x \mid x = 0 \lor \exists y\,(X(y) \land x = y + 1)\} \tag{3.2} \]

The type corresponding to (3.2) is obtained by the following type extraction:

• replace every atomic formula of the form $X(t)$ by a type variable $\alpha$ associated with the predicate variable $X$,

• replace other atomic formulas by the unit or 'void' type $1$,

• delete all quantifiers and object terms (in other words, remove all first-order parts),

• replace $\lor$ by $+$ (disjoint sum) and $\land$ by $\times$ (cartesian product),

• carry out obvious simplifications (e.g. replace $\alpha \times 1$ by $\alpha$).

Hence we arrive at the type definition

\[ \mathrm{Nat} := \mu\alpha.\,1 + \alpha \]

In Haskell we can define this type as

    data Nat = Zero | Succ Nat -- data
      deriving Show

The line "deriving Show" creates a default printing method for values of type Nat. The comment "-- data" indicates that we intend to use the recursive data type Nat as an inductive data type (or initial algebra). This means that the "total", or "legal", elements are inductively generated from Zero and Succ. The natural (domain-theoretic) semantics of Nat also contains, for example, an "infinite" element defined recursively by infty = Succ infty which is not total in the inductive interpretation of Nat. In a coinductive interpretation (usually indicated by the comment -- codata) infty would count as total.¹

By applying type extraction to (3.1) we see that a program extracted from a proof of this formula will have type $\mathrm{Nat} \to 1 + 1$. By identifying the two-element type $1 + 1$ with the Booleans we get the Haskell signature

    parity :: Nat -> Bool

The definition of parity can be extracted from the obvious inductive proof of (3.1): For the base, $x = 0$, we take $y = 0$ to get $x = 2y$. In the step, $x + 1$, we have, by i.h., some $y$ with $x = 2y \lor x = 2y + 1$. In the first case $x + 1 = 2y + 1$, in the second case $x + 1 = 2(y + 1)$. The Haskell program extracted from this proof is

    parity Zero = True
    parity (Succ x) = case parity x of {True -> False ; False -> True}

If we wish to compute not only the parity, but also the rounded-down half of $x$ (i.e. quotient and remainder), we just need to relativize the quantifier $\exists y$ in (3.1) to $\mathrm{N}$ (i.e. $\forall x\,(\mathrm{N}(x) \Rightarrow \exists y\,(\mathrm{N}(y) \land (x = 2y \lor x = 2y + 1)))$) and use in the proof the fact that $\mathrm{N}$ is closed under the successor operation. The extracted program is then

    parity1 :: Nat -> (Nat, Bool)
    parity1 Zero = (Zero, True)
    parity1 (Succ x) = case parity1 x of
      {(y, True)  -> (y, False) ;
       (y, False) -> (Succ y, True)}

In order to try these programs out it is convenient to have a function that transforms built-in integers into elements of Nat.

    iN :: Integer -> Nat -- defined for non-negative integers only
    iN 0 = Zero
    iN n = Succ (iN (n - 1))

Now try parity (iN 7) and parity1 (iN 7).

The examples above show that we can get meaningful computational content despite ignoring the first-order part of a proof. Moreover, we can fine-tune the amount of computational information we extract from a proof by simple modifications of formulas and proofs. Note also that we used arithmetic operations on the reals and their arithmetic laws without implementing or proving them. Since these laws can be written as equations (or conditional equations), their associated type is void. This ensures that it is only their truth that matters, allowing us to treat them as ad-hoc axioms without bothering to derive them from basic axioms. In general, a formula containing neither disjunctions nor free predicate variables always has a void type and can therefore be taken as an axiom as long as it is true.

¹ That Haskell does not distinguish between the inductive and the coinductive interpretation is justified by the limit-colimit coincidence in the domain-theoretic semantics [1].

FROM COINDUCTIVE PROOFS TO EXACT REAL ARITHMETIC: THEORY AND APPLICATIONS

The reader might be puzzled by the fact that quantifiers are ignored in the program extraction process. Quantifiers are, of course, not ignored in the specification of the extracted program, i.e. in the definition of realizability. For example, the statement that the program $p := \mathrm{parity}$ realizes (3.1) is expressed by

\[ \forall n, x\,(n\ \mathbf{r}\ \mathrm{N}(x) \Rightarrow \exists y\,(p(n) = \mathrm{True} \land x = 2y \;\lor\; p(n) = \mathrm{False} \land x = 2y + 1)) \]

where $n$ ranges over Nat (i.e. Zero, Succ Zero, Succ (Succ Zero), ...) and $n\ \mathbf{r}\ \mathrm{N}(x)$ means that $n$ realizes $\mathrm{N}(x)$, which in this case amounts to $x$ being the value of $n$ in $\mathbb{R}$. The Soundness Theorem for realizability states that the program extracted from a proof realizes the proven formula (cf. [10]; see also e.g. [37], [36] for proofs of soundness for related notions of realizability).

Remark. Although the example above seems to suggest that realizers are typed, it is in fact more convenient to work with per se untyped realizers taken from a domain $D$ which is defined by the recursive domain equation

\[ D = 1 + D + D + D \times D + [D \to D] \]

($[D \to D]$ denotes the domain of continuous endofunctions on $D$). It is well-known that such domain equations of "mixed variance" have effective solutions up to isomorphism (see e.g. [20]). Type expressions $1$, $\alpha$, $\rho + \sigma$, $\rho \times \sigma$, $\rho \to \sigma$, $\mu\alpha.\rho$, $\nu\alpha.\rho$ with suitable positivity conditions for fixed point types can naturally be interpreted as subsets of $D$.² Realizers extracted from proofs are terms of an untyped $\lambda$-calculus with constructors and recursion which denote elements of $D$. It can be shown that the value of a program extracted from a proof of a formula $A$ lies in the denotation of the type extracted from $A$ [10]. One can also show that the denotational and operational semantics "match" (computational adequacy). This implies that extracted programs are correct, both in a denotational and operational sense [7]. Note that in general a realizing term denotes an element of $D$, but not an element of the mathematical structure the proof is about. It is just by coincidence that in the example above the closed terms of type Nat denote at the same time elements of $D$ and real numbers, and that both denotations are in a one-to-one correspondence. In the case of the predicate $C_0$ defined below (and even more so for the predicates $C_n$ defined in Sect. 4) there is no such tight correspondence between objects satisfying a predicate and realizers of that fact.

² In fact, general recursive types $\mathrm{rec}\,\alpha.\rho$ without positivity restriction have a natural semantics in $D$ as (ranges of) finitary projections [3].

Example 3.1 (from Cauchy sequences to signed digit streams). In the second example of Sect. 2 we defined the set $C_0$ coinductively by

\[ C_0 = \nu X.\{x \mid \exists d\,(\mathrm{SD}(d) \land \mathrm{I}_d(x) \land X(2x - d))\} \tag{3.3} \]
Since $\mathrm{SD}(d)$ is shorthand for $d = -1 \lor d = 0 \lor d = 1$, and $\mathrm{I}_d(x)$ is shorthand for $|x - d/2| \le 1/2$, the corresponding type is

\[ \mathrm{C0} = \nu\alpha.(1 + 1 + 1) \times \alpha \tag{3.4} \]

Identifying notationally the type $1 + 1 + 1$ with SD

    data SD = N | Z | P -- Negative, Zero, Positive
      deriving Show

we obtain that C0 is the type of infinite streams of signed digits, i.e. the largest fixed point of the type operator

    type J0 alpha = (SD, alpha)

This corresponds to the set operator $\mathcal{J}_0$ of which $C_0$ is the largest fixed point. Therefore we define (choosing ConsC0 as constructor name)

    data C0 = ConsC0 (J0 C0) -- codata

i.e. C0 = ConsC0 (SD, C0).

We wish to extract a program that computes a signed digit representation of $x \in \mathrm{I}$ from a fast rational Cauchy sequence converging to $x$, and vice versa. Set

\[ \mathrm{Q}(x) := \exists n, m, k\,(\mathrm{N}(n) \land \mathrm{N}(m) \land \mathrm{N}(k) \land x = (n - m)/k) \]

\[ A(x) := \forall n\,(\mathrm{N}(n) \Rightarrow \exists q\,(\mathrm{Q}(q) \land |x - q| < 2^{-n})) \]

Constructively, $A(x)$ means that there is a fast Cauchy sequence of rational numbers converging to $x$. Technically, this is expressed by the fact that the realizers of $A(x)$ are precisely such sequences. On the other hand, realizers of $C_0(x)$ are exactly the infinite streams of signed digits $a$ such that $\sigma(a) = x$. In general, realizability for inductive resp. coinductive predicates is defined in a straightforward way, again as an inductive resp. coinductive definition (see [7, 10] for details).

Lemma 3.2.

\[ \forall x\,(\mathrm{I}(x) \land A(x) \Leftrightarrow C_0(x)) \tag{3.5} \]

Proof. To prove the implication from left to right we show $\mathrm{I} \cap A \subseteq C_0$ by coinduction, i.e. we show $\mathrm{I} \cap A \subseteq \mathcal{J}_0(\mathrm{I} \cap A)$. Assume $\mathrm{I}(x)$ and $A(x)$. We have to show (constructively!) $\mathcal{J}_0(\mathrm{I} \cap A)(x)$, i.e. we need to find $d \in \mathrm{SD}$ such that $x \in \mathrm{I}_d$ and $2x - d \in \mathrm{I} \cap A$. Since clearly the assumption $A(x)$ implies $A(2x - d)$ for any $d \in \mathrm{SD}$, and furthermore $x \in \mathrm{I}_d$ holds iff $2x - d \in \mathrm{I}$, we only need to find some signed digit $d$ such that $x \in \mathrm{I}_d$. The assumption $A(x)$, used with $n = 2$, yields a rational number $q$ with $|x - q| < 1/4$. It is easy to find (constructively!) a signed digit $d$ such that $[q - 1/4, q + 1/4] \cap \mathrm{I} \subseteq \mathrm{I}_d$. For that $d$ we have $x \in \mathrm{I}_d$.

For the converse implication we show $\forall n\,(\mathrm{N}(n) \Rightarrow \forall x\,(C_0(x) \Rightarrow \exists q\,(\mathrm{Q}(q) \land |x - q| < 2^{-n})))$ by induction on $\mathrm{N}(n)$ using the coclosure axiom for $C_0$. We leave the details as an exercise for the reader. □

The type corresponding to the predicate $\mathrm{Q}$ is $\mathrm{Nat} \times \mathrm{Nat} \times \mathrm{Nat}$, which we however implement by Haskell's built-in rationals, since it is only the arithmetic operations on rational numbers that matter, whatever the representation. (It is possible, and instructive as an exercise, to extract implementations of the arithmetic operations on rational numbers w.r.t. the representation $\mathrm{Nat} \times \mathrm{Nat} \times \mathrm{Nat}$ from proofs that $\mathrm{Q}$ is closed under these operations. In order to obtain reasonably efficient programs one has to modify the definition of $\mathrm{Q}$ by requiring $n - m$ and $k$ to be relatively prime.) The type of the predicate $A$ is $\mathrm{Nat} \to \mathrm{Rational}$.
The program extracted from the first part of the proof of Lemma 3.2 is

    cauchy2sd :: (Nat -> Rational) -> C0
    cauchy2sd = coitC0 step

where step is the program extracted from the proof of $\mathrm{I} \cap A \subseteq \mathcal{J}_0(\mathrm{I} \cap A)$:

    step :: (Nat -> Rational) -> J0 (Nat -> Rational)
    step f = (d, f') where
      q  = f (Succ (Succ Zero))
      d  = if q > 1/4 then P else if abs q <= 1/4 then Z else N
      f' n = 2 * f (Succ n) - fromSD d

    fromSD :: SD -> Rational
    fromSD d = case d of {N -> -1 ; Z -> 0 ; P -> 1}

The program coitC0 is a polymorphic "coiterator" realizing the coinduction scheme $X \subseteq \mathcal{J}_0(X) \Rightarrow X \subseteq \nu\mathcal{J}_0$:

    coitC0 :: (alpha -> J0 alpha) -> alpha -> C0
    coitC0 s x = ConsC0 (mapJ0 (coitC0 s) (s x))

    mapJ0 :: (alpha -> beta) -> J0 alpha -> J0 beta
    mapJ0 f (d, x) = (d, f x)

An equivalent definition of coitC0 would be

    coitC0' s x = ConsC0 (d, coitC0' s y) where (d, y) = s x

The program extracted from the second part of the proof of Lemma 3.2 is

    sd2cauchy :: C0 -> (Nat -> Rational)
    sd2cauchy c n = aux n c where
      aux Zero c = 0
      aux (Succ n) (ConsC0 (d, c)) = (fromSD d + aux n c) / 2

In order to try out the programs cauchy2sd and sd2cauchy it is convenient to have translations between the type C0 and Haskell's type of infinite lists of signed digits (below, ":" is the cons operation for lists).

    c0s :: C0 -> [SD]
    c0s (ConsC0 (d, c)) = d : c0s c

    sc0 :: [SD] -> C0
    sc0 (d:ds) = ConsC0 (d, sc0 ds)

Now evaluate let {f x = 2/3} in take 10 (c0s (cauchy2sd f)) and

    let {ds = P:Z:ds} in [sd2cauchy (sc0 ds) (iN n) | n <- [0..9]]

(ds is the infinite list [P,Z,P,Z,...] and [e(n) | n <- [0..9]] is a list comprehension expression denoting [e(0),...,e(9)]).

We hope that the examples above give enough hints for understanding program extraction from coinductive proofs. Here is a sketch of how it works in general. Suppose $\nu\Phi$ is a coinductive predicate defined by a strictly positive set operator $\Phi$ ($\mathcal{J}_0$ in our example), e.g. $\Phi(X) = \{x \mid A(X, x)\}$ where $A$ is s.p. in $X$. From $\Phi$ one extracts a s.p. type operator

    data Phi alpha = PhiDef alpha -- to be replaced by a suitable
                                  -- extracted type definition

(J0 in our example). Due to the strict positivity of Phi one can define, by structural recursion on the definition of Phi alpha, a polymorphic map operation

    mapPhi :: (alpha -> beta) -> Phi alpha -> Phi beta
    mapPhi = undefined -- to be replaced by an extracted program

and from that, recursively, the coiterator

    coitFix :: (alpha -> Phi alpha) -> alpha -> Fix
    coitFix s x = ConsFix (mapPhi (coitFix s) (s x))

where Fix is the largest fixed point of Phi:

    data Fix = ConsFix (Phi Fix) -- codata

The program extracted from a coinductive proof of $X \subseteq \nu\Phi$ is coitFix step where step :: alpha -> Phi alpha is the program extracted from the proof of $X \subseteq \Phi(X)$ (alpha is the type corresponding to the predicate $X$). For inductive proofs the construction is similar: One defines recursively an "iterator"

    itFix :: (Phi alpha -> alpha) -> Fix -> alpha
    itFix s (ConsFix z) = s (mapPhi (itFix s) z)

where the type Fix is now viewed as the least fixed point of Phi. The program extracted from an inductive proof of $\mu\Phi \subseteq X$ is now itFix step where step :: Phi alpha -> alpha is extracted from the proof of $\Phi(X) \subseteq X$. It is a useful exercise to re-program the data type Nat and the iteratively defined functions parity, parity1 and sd2cauchy following strictly this general scheme. The above sketched computational interpretations of induction and coinduction and more general recursive schemes can be derived from category-theoretic considerations using the initial algebra/final coalgebra interpretation of least and greatest fixed points (see for example [28, 23, 2, 15]).



4. Coinductive definition of uniform continuity 

For every $n$ we define a set $C_n$ for which we will in Sect. 5 show that it coincides with the set of uniformly continuous functions from $\mathrm{I}^n$ to $\mathrm{I}$.

In the following we let $n, m, k, l, i$ range over $\mathbb{N}$, $p, q$ over $\mathbb{Q}$, $x, y, z$ over $\mathbb{R}$, and $d, e$ over $\mathrm{SD}$. Hence, for example, $\exists d\,A(d)$ is shorthand for $\exists d\,(\mathrm{SD}(d) \land A(d))$ and $\bigwedge_d A(d)$ abbreviates $A(-1) \land A(0) \land A(1)$. We define average functions and their inverses

\[ \mathrm{av}_d : \mathbb{R} \to \mathbb{R},\quad \mathrm{av}_d(x) := \frac{x + d}{2} \]

\[ \mathrm{va}_d : \mathbb{R} \to \mathbb{R},\quad \mathrm{va}_d(x) := 2x - d \]

Note that $\mathrm{av}_d[\mathrm{I}] = \mathrm{I}_d$ and hence $f[\mathrm{I}] \subseteq \mathrm{I}_d$ iff $(\mathrm{va}_d \circ f)[\mathrm{I}] \subseteq \mathrm{I}$. We also need extensions of the average functions to $n$-tuples

\[ \mathrm{av}_{i,d}(x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_n) := (x_1, \ldots, x_{i-1}, \mathrm{av}_d(x_i), x_{i+1}, \ldots, x_n) \]

We define an operator $\mathcal{K}_n : \mathcal{P}(\mathbb{R}^{\mathrm{I}^n}) \to \mathcal{P}(\mathbb{R}^{\mathrm{I}^n}) \to \mathcal{P}(\mathbb{R}^{\mathrm{I}^n})$ by

\[ \mathcal{K}_n(X)(Y) := \{f \mid \exists d\,(f[\mathrm{I}^n] \subseteq \mathrm{I}_d \land X(\mathrm{va}_d \circ f)) \;\lor\; \exists i \bigwedge_d Y(f \circ \mathrm{av}_{i,d})\} \]
Since $\mathcal{K}_n$ is strictly positive in both arguments, we can define an operator $\mathcal{J}_n : \mathcal{P}(\mathbb{R}^{\mathrm{I}^n}) \to \mathcal{P}(\mathbb{R}^{\mathrm{I}^n})$ by

\[ \mathcal{J}_n(X) := \mu(\mathcal{K}_n(X)) = \mu Y.\mathcal{K}_n(X)(Y) \]

Hence, $\mathcal{J}_n(X)$ is the set inductively defined by the following two rules:

\[ \exists d\,(f[\mathrm{I}^n] \subseteq \mathrm{I}_d \land X(\mathrm{va}_d \circ f)) \Rightarrow \mathcal{J}_n(X)(f) \tag{4.1} \]

\[ \exists i \bigwedge_d \mathcal{J}_n(X)(f \circ \mathrm{av}_{i,d}) \Rightarrow \mathcal{J}_n(X)(f) \tag{4.2} \]

Since, as mentioned in Sect. 2, the operation $\mu$ is monotone, $\mathcal{J}_n$ is monotone as well. Therefore, we can define $C_n$ as the largest fixed point of $\mathcal{J}_n$,

\[ C_n = \nu\mathcal{J}_n = \nu X.\mu Y.\mathcal{K}_n(X)(Y) \tag{4.3} \]

Note that for $n = 0$ the second argument $Y$ of $\mathcal{K}_n$ becomes a dummy variable, and therefore $\mathcal{J}_0$ and $C_0$ are the same as in the corresponding example in Sect. 2. Note also that if $f \in C_n$, then $f[\mathrm{I}^n] \subseteq \mathrm{I}_d \subseteq \mathrm{I}$ for some $d \in \mathrm{SD}$ since $C_n = \mu Y.\mathcal{K}_n(C_n)(Y) = \mathcal{K}_n(C_n)(C_n)$.

The type corresponding to the formula $\mathcal{K}_n(X)(Y)$ is $\varphi_n(\alpha)(\beta) := \mathrm{SD} \times \alpha + \mathrm{N}_n \times \beta^3$ where $\mathrm{N}_n := \{1, \ldots, n\}$. Therefore, the type of $\mathcal{J}_n(X)$ is $\mu\beta.\mathrm{SD} \times \alpha + \mathrm{N}_n \times \beta^3$, which is the type of finite ternary trees with indices $i \in \mathrm{N}_n$ attached to the inner nodes and pairs $(d, x) \in \mathrm{SD} \times \alpha$ attached to the leaves. Consequently, the type of $C_n$ is

\[ \nu\alpha.\mu\beta.\mathrm{SD} \times \alpha + \mathrm{N}_n \times \beta^3 \tag{4.4} \]

This is the type of non-wellfounded trees obtained by infinitely often stacking the finite trees on top of each other, i.e. replacing in a finite tree each $x$ in a leaf by another finite tree and repeating the process in the substituted trees ad infinitum. Alternatively, the elements of (4.4) can be described as non-wellfounded trees without leaves such that

— each node is either a writing node labelled with a signed digit and with one subtree, or a reading node labelled with an index $i \in \mathrm{N}_n$ and with three subtrees;

— each path has infinitely many writing nodes.

The interpretation of such a tree as a stream transformer is easy. Given $n$ signed digit streams $a_1, \ldots, a_n$ as inputs, run through the tree and output a signed digit stream as follows:

1. At a writing node $(d, t)$ output $d$ and continue with the subtree $t$.

2. At a reading node $(i, (t_d)_{d \in \mathrm{SD}})$ continue with $t_d$, where $d$ is the head of $a_i$, and replace $a_i$ by its tail.

Fig. 1 shows an initial segment of a tree representing the function

$$f : \mathbb{I} \to \mathbb{I}, \qquad f(x) = \tfrac{2}{3}(1 - x^2) - 1$$

which is an instance of the family of logistic maps discussed in Sect. 5. In order to "run" this tree with an input stream of signed digits, we follow the path determined by the input digits. N, Z or P in the input stream means: go at a branching point left, middle or right. The digits met on this path form the output stream. For example, the input stream Z:Z:Z:Z:... (representing the number 0) leads us along the spine of the tree and results in the output stream N:Z:P:Z:P:Z:... (representing $-\frac12 + \frac18 + \frac1{32} + \cdots = -\frac12 + \frac16 = -\frac13 = f(0)$), while the input stream P:Z:Z:Z:... (representing the number $\frac12$) results in the output stream N:Z:Z:Z:... (representing $-\frac12 = f(\frac12)$).

The above informally described interpretation of the elements of $C_n$ as stream transformers is the extracted program of a special case of Proposition 4.2 below, which shows that the predicates $C_n$ are closed under composition. The following lemma is needed in its proof.

Lemma 4.1. If $C_n(f)$, then $C_n(f \circ \mathrm{av}_{i,d})$.

Proof. We fix $i \in \{1, \ldots, n\}$ and $d \in \mathrm{SD}$ and set

$$D := \{\, f \circ \mathrm{av}_{i,d} \mid C_n(f) \,\}$$

We show $D \subseteq C_n$ by strong coinduction, i.e. we show $D \subseteq \mathcal{J}_n(D \cup C_n)$, i.e. $C_n \subseteq E$ where

$$E := \{\, f \mid \mathcal{J}_n(D \cup C_n)(f \circ \mathrm{av}_{i,d}) \,\}$$

Since $C_n = \mathcal{J}_n(C_n)$ it suffices to show $\mathcal{J}_n(C_n) \subseteq E$. We prove this by strong induction on $\mathcal{J}_n(C_n)$, i.e. we show $\mathcal{K}_n(C_n)(E \cap \mathcal{J}_n(C_n)) \subseteq E$. Induction base: Assume $f[\mathbb{I}^n] \subseteq \mathbb{I}_{d'}$ and $C_n(\mathrm{va}_{d'} \circ f)$. We need to show $E(f)$, i.e. $\mathcal{J}_n(D \cup C_n)(f \circ \mathrm{av}_{i,d})$. By (4.1) it suffices to show $(f \circ \mathrm{av}_{i,d})[\mathbb{I}^n] \subseteq \mathbb{I}_{d'}$ and $(D \cup C_n)(\mathrm{va}_{d'} \circ f \circ \mathrm{av}_{i,d})$. We have $(f \circ \mathrm{av}_{i,d})[\mathbb{I}^n] = f[\mathrm{av}_{i,d}[\mathbb{I}^n]] \subseteq f[\mathbb{I}^n] \subseteq \mathbb{I}_{d'}$. Furthermore, $D(\mathrm{va}_{d'} \circ f \circ \mathrm{av}_{i,d})$ holds by the assumption $C_n(\mathrm{va}_{d'} \circ f)$ and the definition of $D$. Induction step: Assume, as strong induction hypothesis, $\bigwedge_{d'} (E \cap \mathcal{J}_n(C_n))(f \circ \mathrm{av}_{i',d'})$. We have to show $E(f)$, i.e. $\mathcal{J}_n(D \cup C_n)(f \circ \mathrm{av}_{i,d})$. If $i' = i$, then the strong induction hypothesis implies $\mathcal{J}_n(C_n)(f \circ \mathrm{av}_{i,d})$ which, by the monotonicity of $\mathcal{J}_n$, in turn implies $\mathcal{J}_n(D \cup C_n)(f \circ \mathrm{av}_{i,d})$. If $i' \neq i$, then $\bigwedge_{d'} \mathrm{av}_{i',d'} \circ \mathrm{av}_{i,d} = \mathrm{av}_{i,d} \circ \mathrm{av}_{i',d'}$ and therefore, since the strong induction hypothesis implies $E(f \circ \mathrm{av}_{i',d'})$, we have $\bigwedge_{d'} \mathcal{J}_n(D \cup C_n)(f \circ \mathrm{av}_{i,d} \circ \mathrm{av}_{i',d'})$. By (4.2) this implies $\mathcal{J}_n(D \cup C_n)(f \circ \mathrm{av}_{i,d})$. □

(Footnote to Fig. 1: The LaTeX code for the display of the tree was generated automatically from a term denoting this tree which in turn was extracted from a formal proof that the function $f$ lies in $C_1$.)

Proposition 4.2. Consider $f : \mathbb{I}^n \to \mathbb{R}$ and $g_i : \mathbb{I}^m \to \mathbb{R}$, for $i = 1, \ldots, n$. If $C_n(f)$ and $C_m(g_1), \ldots, C_m(g_n)$, then $C_m(f \circ (g_1, \ldots, g_n))$.

Proof. We prove the proposition by coinduction, i.e. we set

$$D := \{\, f \circ (g_1, \ldots, g_n) \mid C_n(f),\ C_m(g_1), \ldots, C_m(g_n) \,\}$$

and show that $D \subseteq \mathcal{J}_m(D)$, i.e. $C_n \subseteq E$ where

$$E := \{\, f \in \mathbb{R}^{\mathbb{I}^n} \mid \forall \vec g\,(C_m(\vec g) \Rightarrow \mathcal{J}_m(D)(f \circ \vec g)) \,\}$$

and $C_m(\vec g) := C_m(g_1) \wedge \ldots \wedge C_m(g_n)$. Since $C_n = \mathcal{J}_n(C_n)$ it suffices to show $\mathcal{J}_n(C_n) \subseteq E$. We do an induction on $\mathcal{J}_n(C_n)$, i.e. we show $\mathcal{K}_n(C_n)(E) \subseteq E$. Induction base: Assume $f[\mathbb{I}^n] \subseteq \mathbb{I}_d$, $C_n(\mathrm{va}_d \circ f)$ and $C_m(\vec g)$. We have to show $\mathcal{J}_m(D)(f \circ \vec g)$. By (4.1) it suffices to show $(f \circ \vec g)[\mathbb{I}^m] \subseteq \mathbb{I}_d$ and $D(\mathrm{va}_d \circ f \circ \vec g)$. The first statement holds since $\vec g[\mathbb{I}^m] \subseteq \mathbb{I}^n$, the second holds by the definition of $D$ and the assumption. Induction step: Assume, as induction hypothesis, $\bigwedge_d E(f \circ \mathrm{av}_{i,d})$. We have to show $E(f)$, i.e. $C_m \subseteq E'$ where

$$E' := \{\, g \in \mathbb{R}^{\mathbb{I}^m} \mid \forall \vec g\,(g = g_i \wedge C_m(\vec g) \Rightarrow \mathcal{J}_m(D)(f \circ \vec g)) \,\}$$

Since $C_m = \mathcal{J}_m(C_m)$ it suffices to show $\mathcal{J}_m(C_m) \subseteq E'$, which we do by a side induction on $\mathcal{J}_m$, i.e. we show $\mathcal{K}_m(C_m)(E') \subseteq E'$. Side induction base: Assume $g[\mathbb{I}^m] \subseteq \mathbb{I}_d$ and $C_m(\mathrm{va}_d \circ g)$ and $C_m(\vec g)$ where $g = g_i$. We have to show $\mathcal{J}_m(D)(f \circ \vec g)$. Let $\vec g'$ be obtained from $\vec g$ by replacing $g_i$ with $\mathrm{va}_d \circ g$. Since $C_m(\vec g')$, we have $\mathcal{J}_m(D)(f \circ \mathrm{av}_{i,d} \circ \vec g')$ by the main induction hypothesis. But $\mathrm{av}_{i,d} \circ \vec g' = \vec g$. Side induction step: Assume $\bigwedge_d E'(g \circ \mathrm{av}_{j,d})$ (side induction hypothesis). We have to show $E'(g)$. Assume $C_m(\vec g)$ where $g = g_i$. We have to show $\mathcal{J}_m(D)(f \circ \vec g)$. By (4.2) it suffices to show $\mathcal{J}_m(D)(f \circ \vec g \circ \mathrm{av}_{j,d})$ for all $d$. Since the $i$-th element of $\vec g \circ \mathrm{av}_{j,d}$ is $g \circ \mathrm{av}_{j,d}$ and, by Lemma 4.1, $C_m(\vec g \circ \mathrm{av}_{j,d})$, we can apply the side induction hypothesis. □

The program extracted from Prop. 4.2 composes trees. The cases $m = 0$ and $n = 1$ are of particular interest. If $m = 0$, then the program interprets a tree in $C_n$ as an $n$-ary stream transformer. In the proof the functions $g$ are then just real numbers, and composition, $f \circ g$, becomes function application, $f(g)$. Furthermore, the side induction step disappears. If $n = 1$, then the vectors $\vec g$ consist of only one function $g$ and the set $E'$ of the induction step simplifies to $\{\, g \in \mathbb{R}^{\mathbb{I}^m} \mid \mathcal{J}_m(D)(f \circ g) \,\}$. Furthermore, the side induction step does not need Lemma 4.1 anymore and becomes almost trivial. We show the programs for the cases $n = 1, m = 0$ and $n = m = 1$. We use the following auxiliary programs extracted from a proof of the formula $(X(-1) \wedge X(0) \wedge X(1)) \Rightarrow \forall d\, X(d)$.
type Triple alpha = (alpha, alpha, alpha)

appTriple :: Triple alpha -> SD -> alpha
appTriple (xN,xZ,xP) d = case d of {N -> xN ; Z -> xZ ; P -> xP}

abstTriple :: (SD -> alpha) -> Triple alpha
abstTriple f = (f N, f Z, f P)

The data types associated with the operators $\mathcal{K}_1$, $\mathcal{J}_1$ and the predicate $C_1$ as well as their associated map functions and (co)iterators are

data K1 alpha beta = W1 SD alpha | R1 (Triple beta)

mapK1 :: (alpha -> alpha') -> (beta -> beta') -> K1 alpha beta -> K1 alpha' beta'
mapK1 f g (W1 d a) = W1 d (f a)
mapK1 f g (R1 (bN,bZ,bP)) = R1 (g bN, g bZ, g bP)

data J1 alpha = ConsJ1 (K1 alpha (J1 alpha))   -- data

itJ1 :: (K1 alpha beta -> beta) -> J1 alpha -> beta
itJ1 s (ConsJ1 z) = s (mapK1 id (itJ1 s) z)

mapJ1 :: (alpha -> alpha') -> J1 alpha -> J1 alpha'
mapJ1 f (ConsJ1 x) = ConsJ1 (mapK1 f (mapJ1 f) x)

data C1 = ConsC1 (J1 C1)   -- codata

coitC1 :: (alpha -> J1 alpha) -> alpha -> C1
coitC1 s x = ConsC1 (mapJ1 (coitC1 s) (s x))

Now, the extracted programs of Proposition 4.2. Case $n = 1$, $m = 0$:

appC :: C1 -> C0 -> C0
appC c ds = coitC0 costep (c,ds) where
  costep :: (C1, C0) -> J0 (C1, C0)
  costep (ConsC1 x,ds) = aux x ds
  aux :: J1 C1 -> C0 -> J0 (C1, C0)
  aux = itJ1 step
  step :: K1 C1 (C0 -> J0 (C1, C0)) -> C0 -> J0 (C1, C0)
  step (W1 d c') ds = (d,(c',ds))
  step (R1 es) (ConsC0 (d0,ds')) = appTriple es d0 ds'
Case $n = m = 1$:

compC1 :: C1 -> C1 -> C1
compC1 c1 c2 = coitC1 costep (c1,c2) where
  costep :: (C1,C1) -> J1 (C1,C1)
  costep (ConsC1 x1,c2) = aux x1 c2
  aux :: J1 C1 -> C1 -> J1 (C1,C1)
  aux = itJ1 step
  step :: K1 C1 (C1 -> J1 (C1,C1)) -> C1 -> J1 (C1,C1)
  step (W1 d1 c1') c2 = ConsJ1 (W1 d1 (c1',c2))
  step (R1 es) (ConsC1 x2) = subaux x2 where
    subaux :: J1 C1 -> J1 (C1,C1)
    subaux = itJ1 substep
    substep :: K1 C1 (J1 (C1,C1)) -> J1 (C1,C1)
    substep (W1 d2 c2') = appTriple es d2 c2'
    substep (R1 fs) = ConsJ1 (R1 fs)

Remark. The cases shown above are also treated in [21] (without application to exact real number computation). Whereas in [21] the program was 'guessed' and then verified, we are able to extract the program from a proof, making verification unnecessary. Of course, one could reduce Proposition 4.2 to the case $m = n = 1$ by coding $n$ streams of single digits into one stream of $n$-tuples of digits. But this would lead to less efficient programs, since it would mean that in each reading step all inputs are read, even those that might not be needed (for example, the function $f(x, y) = x/2 + y/100$ certainly should read $x$ more often than $y$).

Remark. Note that the realizability relation connecting real functions satisfying $C_1$ and trees in the type C1 is much less tight than it was in the case of natural numbers (where realizability provided a one-to-one correspondence between real numbers satisfying the predicate $N$ and elements of the type Nat). Although, by coincidence, every element of the type C1 defines, via the program appC, a stream transformer, this stream transformer will in general not correspond to a real function, i.e. it will not necessarily respect equality of reals represented by signed digit streams. The latter is the case only if the tree happens to realize a function $f$ (which is of course the case if the tree was extracted from a proof of $C_1(f)$). Moreover, a tree can realize $C_1(f)$ for different $f$ because the predicate $C_1$ says nothing about the behaviour of functions outside the interval $\mathbb{I}$.

In order to try out the programs appC and compC1 one needs examples of elements of the type C1. Such examples will be provided in the next section.



5. Wellfounded induction and digital systems

Now we study the principle of induction along a wellfounded relation from the perspective of program extraction. As an important application we show that certain families of real functions which we call digital systems are contained in $C_n$. This provides a convenient tool for proving that certain functions, for example polynomials and, more generally, uniformly continuous functions on $\mathbb{I}^n$ are in $C_n$, and in turn allows us to extract implementations for these functions.

Wellfounded induction. Let $U$ be a set, $A$ a subset of $U$ and $<$ a binary relation on $U$. Define a monotone operator $\Phi : \mathcal{P}(U) \to \mathcal{P}(U)$ (depending on $A$ and $<$) by

$$\Phi(X) := \{\, x \mid \forall y \in A\,(y < x \Rightarrow y \in X) \,\}$$

The relation $<$ is called wellfounded on $A$, $\mathrm{Wf}_A(<)$, if $A \subseteq \mu\Phi$. A set $X \subseteq U$ is called $<$-progressive on $A$, $\mathrm{Prog}_A(<, X)$, if $\Phi(X) \cap A \subseteq X$. The principle of wellfounded induction (on $A$ along $<$ at $X$), $\mathrm{WfInd}_A(<, X)$, is

$$\mathrm{Prog}_A(<, X) \Rightarrow A \subseteq X$$

For the purpose of program extraction let us assume that the partial order $x < y$ is defined without using disjunctions and hence has no computational content. For example, the definition could be an equation $t(x, y) = 0$ for some term $t(x, y)$. The following program realizes wellfounded induction for provably wellfounded relations (alpha and beta are the types of realizers of $A$ and $X$, respectively):

wfrec :: ((alpha -> beta) -> alpha -> beta) -> alpha -> beta
wfrec prog = h where h = prog h

Proposition 5.1. If $\mathrm{Wf}_A(<)$ is provable, then wfrec realizes $\mathrm{WfInd}_A(<, X)$.

The proof of Prop. 5.1 is beyond the scope of this introductory paper and will be given in a subsequent publication.

Remark. One can easily prove $\mathrm{Wf}_A(<) \Rightarrow \mathrm{WfInd}_A(<, X)$ from the induction principle for $\mu\Phi$ and extract a program computing a realizer of $\mathrm{WfInd}_A(<, X)$ from a realizer of $\mathrm{Wf}_A(<)$. The point is that our realizer of $\mathrm{WfInd}_A(<, X)$ does not depend on a realizer of $\mathrm{Wf}_A(<)$.

Remark. In [32] a Dialectica Interpretation of a different form of wellfounded induction is given. There, the realizing program refers to a decision procedure for the given wellfounded relation.

Digital systems. Let $(A, <)$ be a provably wellfounded relation. A digital system is a family $\mathcal{F} = (f_x : \mathbb{I}^n \to \mathbb{R})_{x \in A}$ such that for all $x \in A$

$$\exists d\,(f_x[\mathbb{I}^n] \subseteq \mathbb{I}_d \wedge \exists y \in A\; f_y = \mathrm{va}_d \circ f_x) \;\vee\; \exists i \bigwedge_d \exists y \in A\,(y < x \wedge f_y = f_x \circ \mathrm{av}_{i,d})$$

When convenient we identify the family $\mathcal{F}$ with the set $\{\, f_x \mid x \in A \,\}$.

Remark. The definition of a digital system makes reference to the (undecidable) equality relation between real functions. This is not a problem because, as explained in Section 2, it is not necessary for the mathematical objects and predicates to be constructively given. It is enough to be able to formulate the necessary axioms without using disjunctions (which is the case for the usual axioms for equality between functions).

Proposition 5.2. If $\mathcal{F}$ is a digital system, then $\mathcal{F} \subseteq C_n$.

Proof. Let $\mathcal{F}$ be a digital system. We show $\mathcal{F} \subseteq C_n$ by coinduction. Hence, we have to show $\mathcal{J}_n(\mathcal{F})(f_x)$ for all $x \in A$. But, looking at the definition of $\mathcal{J}_n(\mathcal{F})$ and the properties of a digital system, this follows immediately by wellfounded $<$-induction on $x$. □

We can extract a program from the proof of Prop. 5.2 that transforms a (realization of) a digital system into a family of trees realizing its members (case $n = 1$):

digitsys1 :: (alpha -> Either (SD, alpha) (Triple alpha)) -> alpha -> C1
digitsys1 s = coitC1 (wfrec prog) where
  -- prog :: (alpha -> J1 alpha) -> alpha -> J1 alpha
  prog ih x =
    case s x of
      {Left (d,a) -> ConsJ1 (W1 d a) ;
       Right (aN,aZ,aP) -> ConsJ1 (R1 (ih aN, ih aZ, ih aP))}
Example 5.3 (linear affine functions). For $u, v \in \mathbb{Q}^{n+1}$ define $f_{u,v} : \mathbb{I}^n \to \mathbb{R}$ by

$$f_{u,v}(x) := u_1 x_1 + \ldots + u_n x_n + v$$

Clearly, $f_{u,v}[\mathbb{I}^n] = [v - |u|, v + |u|]$ where $|u| := |u_1| + \ldots + |u_n|$. Hence $f_{u,v}[\mathbb{I}^n] \subseteq \mathbb{I}$ iff $|u| + |v| \le 1$, and if $|u| \le 1/4$, then $f_{u,v}[\mathbb{I}^n] \subseteq \mathbb{I}_d$ for some $d$. Furthermore, $f_{u,v} \circ \mathrm{av}_{i,d} = f_{u',v'}$ where $u'$ is like $u$ except that the $i$-th component is halved and $v' = v + u_i d/2$. Hence, if $i$ was chosen such that $|u_i| \ge |u|/n$, then $|u'| \le q|u|$ where $q := 1 - 1/(2n) < 1$. Therefore, we set $A := \{\, u, v \in \mathbb{Q}^{n+1} \mid |u| + |v| \le 1 \,\}$ and define a wellfounded relation $<$ on $A$ by

$$u', v' < u, v \;:\Leftrightarrow\; |u| > 1/4 \wedge |u'| \le q|u|$$

From the above it follows that $\mathrm{Pol}_{1,n} := (f_{u,v})_{u,v \in A}$ is a digital system. Hence $\mathrm{Pol}_{1,n} \subseteq C_n$, by Proposition 5.2. Program extraction gives us a program that assigns to each tuple of rationals $u, v \in A$ a tree representation of $f_{u,v}$. Here is the program for the case $n = 1$:
type Rat2 = (Rational, Rational)

linC1 :: Rat2 -> C1
linC1 = digitsys1 s where
  s :: Rat2 -> Either (SD,Rat2) (Triple Rat2)
  s (u,v) = if abs u <= 1/4
            then let e = if v < -(1/4) then N else
                         if v > 1/4 then P
                         else Z
                 in Left (e, (2*u, 2*v - fromSD e))
            else Right (abstTriple (\d -> (u/2, u*fromSD d/2 + v)))

In order to try this program out we introduce a utility function that applies a function f :: C0 -> C0 to the signed digit representation of a rational number $q$ and computes the result with precision $2^{-n}$ as a rational number.

runC :: (C0 -> C0) -> Rational -> Integer -> Rational
runC f q n = sd2cauchy (f (cauchy2sd (const q))) (iN n)

Now we can compute, for example, the tree representation of the function $f(x) = \frac14 x + \frac15$ at the signed digit representation of the point $x = \frac13$ with an accuracy of $2^{-10}$ by defining

f :: C0 -> C0
f = appC (linC1 (1/4,1/5))

and evaluating the expression runC f (1/3) 10. The computed result differs from the exact result, $\frac14 \cdot \frac13 + \frac15 = \frac{17}{60}$, by less than $2^{-10}$, as required.

Remark 5.4. In [25] it is shown that the linear affine transformations are exactly the functions that can be represented by a finite automaton. The trees computed by our program generate these automata, simply because for the computation of the tree for $f_{u,v}$ only finitely many other indices $u', v'$ are used, and Haskell will construct the tree by connecting these indices by pointers.

Example 5.5 (iterated logistic map). With a similar proof as for the linear affine maps one can show that all polynomials of degree 2 with rational coefficients mapping $\mathbb{I}$ to $\mathbb{I}$ are in $C_1$. The following program can be extracted. It takes three rational numbers $u, v, w$ and computes a tree representation of the function $f_{u,v,w}(x) := ux^2 + vx + w$, provided $f_{u,v,w}$ maps $\mathbb{I}$ to $\mathbb{I}$. The programs quadWrite and quadRead compute the coefficients of the quadratic functions $\mathrm{va}_e \circ f_{u,v,w}$ and $f_{u,v,w} \circ \mathrm{av}_d$, while quadTest tests whether $f_{u,v,w}[\mathbb{I}] \subseteq \mathbb{I}_e$. Since a quadratic function may or may not have an extremal point in the interval $\mathbb{I}$, this test is more complicated than in the linear affine case.
type Rat3 = (Rational, Rational, Rational)

quadC1 :: Rat3 -> C1
quadC1 = digitsys1 s where
  s :: Rat3 -> Either (SD,Rat3) (Triple Rat3)
  s uvw = case (filter (quadTest uvw) [N,Z,P]) of
            (e:_) -> Left (e, quadWrite uvw e)
            []    -> Right (abstTriple (quadRead uvw))

quadWrite :: Rat3 -> SD -> Rat3
quadWrite (u,v,w) e = (2*u, 2*v, 2*w - e')
  where e' = fromSD e

quadRead :: Rat3 -> SD -> Rat3
quadRead (u,v,w) d = (u/4, (u*d'+v)/2, u*d'^2/4 + v*d'/2 + w)
  where d' = fromSD d

quadTest :: Rat3 -> SD -> Bool
quadTest (u,v,w) e = (e'-1)/2 <= low && high <= (e'+1)/2
  where
    e' = fromSD e
    low  = minimum crit   -- min (f_uvw I)
    high = maximum crit   -- max (f_uvw I)
    crit = [u+v+w, u-v+w] ++          -- [f_uvw 1, f_uvw (-1)]
           (if u == 0 then []
            else let x = -v/(2*u)     -- extremal point
                 in if -1 <= x && x <= 1
                    then [u*x^2 + v*x + w]   -- f_uvw x
                    else [])

In particular the so-called logistic map (transformed to $\mathbb{I}$), defined by

$$f_a(x) = a(1 - x^2) - 1,$$

is in $C_1$ for each rational number $a \in [0, 2]$.

lmaC1 :: Rational -> C1
lmaC1 a = quadC1 (-a,0,a-1)

Exact computation of iterations of the logistic map was studied in [12] and [31]. In order to test the performance of our implementation with these maps we use a generalized exponentiation function that raises a value x to the power n (> 0) with respect to an arbitrary binary function g as "multiplication":

gexp :: (alpha -> alpha -> alpha) -> alpha -> Int -> alpha
gexp g x 1 = x
gexp g x n = g (gexp g x (n-1)) x

Now we define a tree representing the 100-fold iteration of the logistic map $f_2$

t100 :: C1
t100 = gexp compC1 t1 100 where t1 = lmaC1 2

and evaluate runC (appC t100) 0.7 100, which means we compute $f_2^{100}(0.7)$ with precision $2^{-100}$. The result,

1008550774065780194036545699607 / 1267650600228229401496703205376

(which is approximately 0.7956062765908836) is computed within a few seconds. Regarding efficiency, in general our experimental results compare well with those in [31] which are based on the binary signed digit representation as well. In addition, when one repeats the evaluation of the expression runC (appC t100) 0.7 100 the result is computed instantly because the relevant branch of the tree t100 has been computed before and is now memoized. The memoization effect is still noticeable if one slightly changes the iteration index or the argument $x$. Note that the function $f_2^{100}$ is a polynomial of degree $2^{100}$ which oscillates about $2^{100}$ times in the interval $\mathbb{I}$, and the exact value of $f_2^{100}(0.7)$ is a rational number which has a (bit-)size $> 2^{100}$. Computing $f_2^{100}(0.7)$ using double precision floating point arithmetic yields the completely wrong value $-0.1571454279758806$ (evaluate gexp (.) (\x -> 2*(1-x^2)-1) 100 0.7 :: Double).

In [12] much higher iterations of logistic maps were computed (up to $n = 100{,}000$) by exploiting specific information about these functions to fine-tune the program. Our program, however, was extracted from completely general proofs about polynomials and composability of arbitrary u.c. functions.

An important application of digital systems is the following proof that the predicate $C_n$ precisely captures uniform continuity. We work with the maximum norm on $\mathbb{I}^n$ and set $B_\delta(p) := \{\, x \in \mathbb{I}^n \mid |x - p| \le \delta \,\}$ for $p \in \mathbb{I}^n$. We also set $\mathbb{Q}_{\mathbb{I}} := \mathbb{I} \cap \mathbb{Q}$ and let $\delta, \varepsilon$ range over positive rational numbers. Furthermore, we set

$$\mathrm{Box}(\delta, \varepsilon, f) \;:\Leftrightarrow\; \forall p \in \mathbb{Q}_{\mathbb{I}}^n\; \exists q \in \mathbb{Q}_{\mathbb{I}}\; (f[B_\delta(p)] \subseteq B_\varepsilon(q))$$

It is easy to see that $f : \mathbb{I}^n \to \mathbb{R}$ is uniformly continuous with $f[\mathbb{I}^n] \subseteq \mathbb{I}$ iff

$$\forall \varepsilon\, \exists \delta\; \mathrm{Box}(\delta, \varepsilon, f) \qquad (5.1)$$

Proposition 5.6. For any function $f : \mathbb{I}^n \to \mathbb{R}$, $C_n(f)$ iff $f$ is uniformly continuous and $f[\mathbb{I}^n] \subseteq \mathbb{I}$.

Proof. We have to show that $C_n(f)$ holds iff (5.1) holds.

For the "if" part we use Prop. 5.2. Let $A$ be the set of triples $(f, m, [d_1, \ldots, d_k])$ such that $f$ satisfies (5.1), $\mathrm{Box}(2^{-m}, 1/4, f)$ holds, and $d_1, \ldots, d_k \in \mathrm{SD}$ with $k < n$ (hence in the case $n = 1$ the list $[d_1, \ldots, d_k]$ is always empty). Define a wellfounded relation $<$ on $A$ by

$$(f', m', [d'_1, \ldots, d'_{k'}]) < (f, m, [d_1, \ldots, d_k]) \;:\Leftrightarrow\; m' < m \vee (m' = m \wedge k' > k)$$

For $\vec d = [d_1, \ldots, d_k]$, where $k \le n$, set $\mathrm{av}_{\vec d} := \mathrm{av}_{1,d_1} \circ \cdots \circ \mathrm{av}_{k,d_k}$, i.e. $\mathrm{av}_{[]}$ is the identity function. We show that $\mathcal{F} := (f \circ \mathrm{av}_{\vec d})_{(f, m, \vec d) \in A}$ is a digital system (this is sufficient, because $f \circ \mathrm{av}_{[]} = f$). Let $\alpha := (f, m, [d_1, \ldots, d_k]) \in A$.

Case $m = 0$, i.e. $\mathrm{Box}(1, 1/4, f)$. We show that the left disjunct in the definition of a digital system holds. We have $f[\mathbb{I}^n] = f[B_1(0)] \subseteq B_{1/4}(q)$ for some $q \in \mathbb{Q}_{\mathbb{I}}$. If $|q| \le 1/4$, choose $d := 0$; if $q > 1/4$, choose $d := 1$; if $q < -1/4$, choose $d := -1$. Then clearly $f[\mathbb{I}^n] \subseteq \mathbb{I}_d$, and $g := \mathrm{va}_d \circ f$ is uniformly continuous and maps $\mathbb{I}^n$ into $\mathbb{I}$. Hence $(g, m', []) \in A$ for some $m'$.

Case $m > 0$. We show that the right disjunct in the definition of a digital system holds. Choose $i := k + 1$. Let $d \in \mathrm{SD}$. If $k + 1 < n$, then $\beta := (f, m, [d_1, \ldots, d_k, d]) < \alpha$ and $f \circ \mathrm{av}_{[d_1, \ldots, d_k, d]} = (f \circ \mathrm{av}_{[d_1, \ldots, d_k]}) \circ \mathrm{av}_{i,d}$. If $k + 1 = n$, then for $g := f \circ \mathrm{av}_{[d_1, \ldots, d_k, d]}$ we have $\beta := (g, m - 1, []) \in A$ because $\mathrm{av}_{[d_1, \ldots, d_k, d]}$ is a contraction with contraction factor $1/2$. Clearly, $\beta < \alpha$. Furthermore, $g \circ \mathrm{av}_{[]} = g = (f \circ \mathrm{av}_{[d_1, \ldots, d_k]}) \circ \mathrm{av}_{i,d}$.

For the "only if" part we assume $C_n(f)$. Set

$$E_k := \{\, f : \mathbb{I}^n \to \mathbb{R} \mid \exists \delta\; \mathrm{Box}(\delta, 2^{-k}, f) \,\}$$

For proving (5.1) it obviously suffices to show $\forall k\,(f \in E_k)$. Hence, it suffices to show $C_n \subseteq E_k$ for all $k$. We proceed by induction on $k$.

Base, $k = 0$: Since $B_1(0) = \mathbb{I}^n$, we clearly have $\mathrm{Box}(1, 2^0, f)$ for all $f \in C_n$.

Step, $k \to k + 1$: Since $C_n = \mathcal{J}_n(C_n)$ it suffices to show $\mathcal{J}_n(C_n) \subseteq E_{k+1}$. We prove this by side induction on $\mathcal{J}_n(C_n)$, i.e. we show $\mathcal{K}_n(C_n)(E_{k+1}) \subseteq E_{k+1}$. Side induction base: Assume $f[\mathbb{I}^n] \subseteq \mathbb{I}_d$ and $C_n(\mathrm{va}_d \circ f)$. By the main induction hypothesis, $\mathrm{Box}(\delta, 2^{-k}, \mathrm{va}_d \circ f)$ for some $\delta$. Hence $\mathrm{Box}(\delta, 2^{-(k+1)}, f)$. Side induction step: Assume, as side induction hypothesis, $\mathrm{Box}(\delta_d, 2^{-(k+1)}, f \circ \mathrm{av}_{i,d})$ for all $d \in \mathrm{SD}$. Setting $\delta = \min\{\delta_d \mid d \in \mathrm{SD}\}$, we clearly have $\mathrm{Box}(\delta/2, 2^{-(k+1)}, f)$. □

Remark. Prop. 5.6 is mainly of theoretical value since it shows that the predicate $C_n$ does not exclude any u.c. functions. From a practical perspective it is less useful, since, although the proof of the "if" direction computes a tree for every u.c. function $f$, this tree usually does not represent a very good algorithm for computing $f$ because it follows the strategy to read all inputs if some input needs to be read (because in the proof the number $m$ is decremented only if $k + 1 = n$, i.e. all inputs have been read). Hence, for particular families of u.c. functions one should not use this proof, but rather design a special digital system that reads inputs only when necessary (as done in the case of the linear affine functions).

6. Integration 

We prove that for functions $f$ in $C_1$ the integral $\int f := \int_{-1}^{1} f = \int_{-1}^{1} f(x)\,dx$ can be approximated by rational numbers, and extract from the proof a program that computes the integral with any prescribed precision. For the formal proof we do not need to define what the (Riemann- or Lebesgue-) integral is; it suffices to know that the following equations hold.

Lemma 6.1. (a) $\int f = \frac12 \int (\mathrm{va}_d \circ f) + d$

(b) $\int f = \frac12 \left( \int (f \circ \mathrm{av}_{-1}) + \int (f \circ \mathrm{av}_1) \right)$.

Proof. (a) $\int (\mathrm{va}_d \circ f) = \int_{-1}^{1} (2f(x) - d)\,dx = 2\int f - d \int_{-1}^{1} 1\,dx = 2\int f - 2d$.

(b) By the substitution rule for integration $\int_{\mathrm{av}_d[\mathbb{I}]} f = \frac12 \int (f \circ \mathrm{av}_d)$. Therefore, $\int f = \int_{-1}^{0} f + \int_{0}^{1} f = \frac12 \int (f \circ \mathrm{av}_{-1}) + \frac12 \int (f \circ \mathrm{av}_1)$. □
Proposition 6.2. If $C_1(f)$, then $\forall k\, \exists p\; |\int f - p| \le 2^{1-k}$.

Proof. We show

$$\forall k\, \forall f\, (C_1(f) \Rightarrow \exists p\; |\int f - p| \le 2^{1-k})$$

by induction on $k$.

$k = 0$: Since $C_1(f)$ implies $f[\mathbb{I}] \subseteq \mathbb{I}$ it follows that $|\int f| \le 2$. Hence we can take $p := 0$.

$k + 1$: $C_1(f)$ implies $\mathcal{J}_1(C_1)(f)$. Hence it suffices to show

$$\forall f\, (\mathcal{J}_1(C_1)(f) \Rightarrow \exists p\; |\int f - p| \le 2^{-k})$$

by a side induction on $\mathcal{J}_1(C_1)(f)$. If $C_1(\mathrm{va}_d \circ f)$, then, by the main induction hypothesis, $|\int (\mathrm{va}_d \circ f) - p| \le 2^{1-k}$ for some $p$. By Lemma 6.1 (a) it follows $|\int f - (\frac{p}{2} + d)| = \frac12 |\int (\mathrm{va}_d \circ f) - p| \le 2^{-k}$. If $\forall d\, \exists p\; |\int (f \circ \mathrm{av}_d) - p| \le 2^{-k}$, then in particular there are $p$ and $q$ such that $|\int (f \circ \mathrm{av}_{-1}) - p| \le 2^{-k}$ and $|\int (f \circ \mathrm{av}_1) - q| \le 2^{-k}$. By Lemma 6.1 (b) it follows $|\int f - \frac12 (p + q)| = \frac12 |\int (f \circ \mathrm{av}_{-1}) + \int (f \circ \mathrm{av}_1) - (p + q)| \le \frac12 (|\int (f \circ \mathrm{av}_{-1}) - p| + |\int (f \circ \mathrm{av}_1) - q|) \le 2^{-k}$. □

When extracting a program from the proof of Proposition 6.2 we may treat the equations of Lemma 6.1 as axioms. The proof of Lemma 6.1 is completely irrelevant for the extracted program and was given only to convince us of the truth of the equations. Here is the program extracted from the proof of Proposition 6.2:

integral :: C1 -> Nat -> Rational
integral c n = aux n c where
  aux Zero c = 0
  aux (Succ n) (ConsC1 x) = itJ1 step x where
    step :: K1 C1 Rational -> Rational
    step (W1 d c') = aux n c' / 2 + fromSD d
    step (R1 (eN,_,eP)) = (eN + eP)/2

We can try it out by evaluating, for example, integral (lmaC1 1.5) (iN 10).
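The tree-as-stream-transformer interpretation of Sect. 4 (appC), the digital systems of Examples 5.3 and 5.5 (linC1, quadC1) and the integral program above, worked through as an added Python example with exact rationals; this is not the paper's Haskell code, and the names memoize, run_tree, rat2sd, sd2rat, lin_step, quad_step, logistic_state and integral are this example's own. The checks it allows are the ones stated in the text: the output N:Z:P:Z:P:Z of Fig. 1 on input 0, the value 17/60 of $\frac14 x + \frac15$ at $x = \frac13$, and the error bound $2^{1-k}$ of Proposition 6.2.

```python
# Added example, not the paper's Haskell code: the digital systems of Examples
# 5.3 and 5.5, the tree-as-stream-transformer interpretation (appC) and the
# integral of Sect. 6 in Python with exact rationals; all names are the example's.
from fractions import Fraction as Q
from itertools import islice

SD = (-1, 0, 1)  # signed digits N, Z, P; a reading node's subtrees use this order

def memoize(step):
    """Cache a digital system's step so each state is unfolded only once: equal
    states become shared subtrees, the memoization the paper observes for the
    Haskell trees (finitely many states give the automaton of Remark 5.4)."""
    cache = {}

    def s(x):
        if x not in cache:
            cache[x] = step(x)
        return cache[x]
    return s

def run_tree(s, x, digits):
    """appC: interpret the tree rooted at state x as a stream transformer.
    A writing node ('W', d, x') emits d and continues at x'; a reading node
    ('R', (xN, xZ, xP)) consumes one input digit and descends into its subtree."""
    digits = iter(digits)
    while True:
        node = s(x)
        if node[0] == 'W':
            yield node[1]
            x = node[2]
        else:
            x = node[1][next(digits) + 1]

def rat2sd(q):
    """Signed digit stream of a rational q in I = [-1, 1] (cauchy2sd)."""
    while True:
        d = -1 if q <= Q(-1, 2) else (1 if q >= Q(1, 2) else 0)
        yield d
        q = 2 * q - d  # va_d(q) stays inside I

def sd2rat(digits, n):
    """Rational within 2^-n of the real denoted by the stream (sd2cauchy)."""
    return sum(Q(d, 2 ** (i + 1)) for i, d in enumerate(islice(digits, n)))

def lin_step(uv):
    """Digital system for f(x) = u*x + v with |u| + |v| <= 1 (Example 5.3)."""
    u, v = uv
    if abs(u) <= Q(1, 4):  # f[I] fits into some I_e: write e
        e = -1 if v < Q(-1, 4) else (1 if v > Q(1, 4) else 0)
        return ('W', e, (2 * u, 2 * v - e))  # coefficients of va_e o f
    return ('R', tuple((u / 2, u * d / 2 + v) for d in SD))  # f o av_d

def quad_step(uvw):
    """Digital system for f(x) = u*x^2 + v*x + w with f[I] in I (Example 5.5);
    quadTest needs min and max of f on I, so an interior extremum is checked."""
    u, v, w = uvw
    crit = [u + v + w, u - v + w]  # f(1), f(-1)
    if u != 0 and -1 <= -v / (2 * u) <= 1:
        x = -v / (2 * u)
        crit.append(u * x * x + v * x + w)
    low, high = min(crit), max(crit)
    for e in SD:  # first e with f[I] in I_e = [(e-1)/2, (e+1)/2]
        if Q(e - 1, 2) <= low and high <= Q(e + 1, 2):
            return ('W', e, (2 * u, 2 * v, 2 * w - e))  # quadWrite
    return ('R', tuple((u / 4, (u * d + v) / 2, u * d * d / 4 + v * d / 2 + w)
                       for d in SD))  # quadRead

def logistic_state(a):
    """quad_step state of the logistic map f_a(x) = a(1 - x^2) - 1 (lmaC1)."""
    return (-Q(a), Q(0), Q(a) - 1)

def integral(s, x, k):
    """Rational p with |integral of f over I - p| <= 2^(1-k) for the tree at
    state x, as in the program of Sect. 6: Lemma 6.1(a) at writing nodes,
    where k is decremented, and Lemma 6.1(b) at reading nodes."""
    if k == 0:
        return Q(0)
    node = s(x)
    if node[0] == 'W':
        return integral(s, node[2], k - 1) / 2 + node[1]
    tN, _, tP = node[1]
    return (integral(s, tN, k) + integral(s, tP, k)) / 2

if __name__ == "__main__":
    lin, f = memoize(lin_step), (Q(1, 4), Q(1, 5))  # f(x) = x/4 + 1/5
    print(sd2rat(run_tree(lin, f, rat2sd(Q(1, 3))), 10))  # within 2^-10 of 17/60
    quad = memoize(quad_step)
    print(list(islice(run_tree(quad, logistic_state(Q(2, 3)), rat2sd(Q(0))), 6)))
    print(integral(lin, f, 10), integral(quad, logistic_state(2), 8))  # ~2/5, ~2/3
```

Composition of trees (compC1) is not reproduced; iterating a map is done here by feeding one transformer's output stream into the next, the m = 0 special case of Proposition 4.2 applied repeatedly.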

An interesting aspect of our integration program is the fact that it "adapts" automatically to the shape of the function. For example, if we integrate a smoother function, e.g. by changing above the index $a = 1.5$ to, say, $0.1$, then we can increase the precision from $2^{-10}$ to a considerably higher precision and observe about the same computation time.

Remark. In [35] an algorithm for exact integration is given which is based on the equations of Lemma 6.1 as well and which uses ideas from [5] on a sequential implementation of the "fan functional", but where the function to be integrated is given as a continuous function on signed digit streams. Unsurprisingly, our integration program is simpler and more efficient because in our case the integrand is given as a tree containing explicit information about the modulus of uniform continuity. In general, of course, our program is still exponential in the precision, which is in accordance with general results on the exponential nature of integration [24].
7. Conclusion and further work

We presented a method for extracting from coinductive proofs tree-like data structures 
coding exact lazy algorithms for real functions. The extraction method is based on a 
variant of modified realizability that strictly separates the (abstract) mathematical model 
the proof is about from the data types the extracted program is dealing with. The latter 
are determined solely by the propositional structure of formulas and proofs. This has the 
advantage that the abstract mathematical structures do not need to be 'constructivized'. 
In addition, formulas not containing disjunctions are computationally meaningless and can 
therefore be taken as axioms as long as they are true. This enormously reduces the burden 
of formalization and turns - in our opinion - program extraction into a realistic method for 
the development of nontrivial certified algorithms. In particular, the very short proof and 
extracted program for the definite integral demonstrates that our method does not become 
unwieldy when applied to less trivial problems. 

Up to and including Sect. 3 the proof formalization and program extraction has been carried out in the Coq proof assistant. The formalization in Coq of proofs involving nested inductive/coinductive predicates such as $C_n$ causes problems because Coq's guardedness checker does not recognize such proofs as correct. In order to circumvent these problems we are currently adapting the existing implementation of program extraction in the Minlog proof system [3] to our setting. However, we would like to stress that program extraction from proofs has turned out to be a very reliable and useful methodology for obtaining certified programs, even if the extraction is done with pen and paper and not supported by a proof assistant. We also plan to extend this work to more general situations where the interval $\mathbb{I}$ and the maps $\mathrm{av}_d$ are replaced by an arbitrary bounded metric space with a system of contractions (see [34] for related work), or even to the non-metric case (for example higher types). These extensions will facilitate the extraction of efficient programs for e.g. analytic functions, parametrised integrals, and set-valued functions.

Although our extracted programs perform reasonably well, we do not claim to be able to compete with existing specialized software for exact real number computation (e.g. [29, 27]) regarding efficiency. Our aim is rather to provide a practical methodology for producing correct and verified software and combining existing fully specified correct (and trusted) software components. For example, existing efficient exact implementations of certain real functions could be formally represented in our logical system as constants which are axiomatized by their given specification and realized by the existing implementation. In future work we plan to apply program extraction also to other areas, for example, monadic parsing.